Restricting SMTP to encrypted only connections...
I have an Exchange 2007 server, with all roles installed on a single box.
Most of my users are using native MAPI mode.
However I have a handful of mac and linux users who are connecting with secure IMAP (port 993).
That is working fine.
What my problem is, is that I would like to require users to use SMTP with TLS (over port 587).
Under my Server configuration, Hub Transport, I have the two default receive connectors, client and default.
Under the client connector properties, it is bound to the correct IP and port, and has TLS, Basic Authentication, Offer Basic Authentication only after starting TLS, and Integrated Windows authentication checked.
Under permission groups, only Exchange users is checked.
So this works great when users specify the correct settings. However, they can still put port 25 and choose none for security settings and connect to it and send mail.
Under the default connector properties, I unchecked exchange users from the permission groups. The only thing that is checked is exchange servers and legacy exchange servers. The network tab has the correct settings and bound to port 25.
So why can they still use this connector, if exchange users is unchecked from permission groups? Do I need to restart any services? I did try restarting the Microsoft Exchange Transport service but they can still send e-mail through port 25 unsecure.
Please help.
Answers
Hi Andy,
I assume you have set up two connectors, one on Port 25 and one on port 587, so you can configure them differently?
They will be able to use the Port 25 connector if either:
- You have configured it to relay mail from all internal IP addresses (or whichever IP address they are on). You will need to give relay rights to only the IP addresses which need it.
- They are sending messages to internal users. Because internal users are internal, any IP address can send messages to them. You may want to configure the Port 25 connector to DENY connect privileges to internal IPs.
Cheers,
Ben
- Proposed As Answer by Benhaha, Friday, November 06, 2009 10:21 PM
- Marked As Answer by Mike Shen (MSFT, Moderator), Friday, November 20, 2009 9:15 AM
Hi Andy,
After the Exchange users are unchecked from the Receive Connector, the users are still able to submit by using the Anonymous Account. By default, the Anonymous Account is allowed to send email to internal recipients. Nevertheless, the Anonymous Account is not allowed to relay email to external recipients.
Therefore, as I explained in my previous post, if the Exchange server is used to receive external messages, the Anonymous Account needs to be enabled. In order to prevent internal users from using the Receive Connector to submit messages, you need to run the following command to stop internal users from submitting messages by using the Anonymous Account:
Get-ReceiveConnector "DC\Default DC" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"
If the users are still able to send messages by using the port 25 Receive Connector, would you please help me gather the related protocol log for the Receive Connector to check how the message is submitted.
Thanks,
Mike
- Marked As Answer by Mike Shen (MSFT, Moderator), Friday, November 20, 2009 9:16 AM
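The following Exchange Management Shell script is an added example, not code from either answer: it audits the two default connectors for the conditions Mike and Ben describe (anonymous submission as an internal sender on the port 25 connector, TLS not required before Basic auth on the client connector, open RemoteIPRanges) and turns on verbose protocol logging so a test submission can be traced. It assumes the connectors carry the default names "Default <SERVER>" and "Client <SERVER>"; the `$right` and `$anon` values are those used in the thread.

```powershell
# Added audit script (not from the thread). Assumes the Exchange 2007 Management
# Shell, run on the Hub Transport server, with the default connector names.
$server            = $env:COMPUTERNAME
$internetConnector = "$server\Default $server"   # port 25, receives Internet mail
$clientConnector   = "$server\Client $server"    # port 587, authenticated clients
$right = "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"
$anon  = "NT AUTHORITY\ANONYMOUS LOGON"

# 1. Show how each connector is exposed. Ben's point about relay rights shows up
#    in RemoteIPRanges and PermissionGroups; wide ranges plus Anonymous mean any
#    internal host can hand mail to this connector.
Get-ReceiveConnector -Server $server |
    Format-Table Name, Bindings, AuthMechanism, PermissionGroups, RemoteIPRanges -AutoSize

# 2. Mike's point: does ANONYMOUS LOGON still hold the extended right that lets an
#    unauthenticated client submit mail "from" one of our own accepted domains?
$anonRights = Get-ReceiveConnector $internetConnector |
    Get-ADPermission -User $anon |
    Where-Object { ($_.ExtendedRights -join ",") -match "Accept-Authoritative-Domain-Sender" }

if ($anonRights) {
    Write-Warning "Anonymous clients can still submit as an internal sender on $internetConnector"
    # Uncomment to apply the fix from the thread:
    # Get-ReceiveConnector $internetConnector |
    #     Remove-ADPermission -User $anon -ExtendedRights $right -Confirm:$false
} else {
    Write-Host "OK: $anon does not hold $right on $internetConnector"
}

# 3. The client connector should only offer Basic authentication once TLS is up.
$client = Get-ReceiveConnector $clientConnector
if ($client.AuthMechanism -notmatch "BasicAuthRequireTLS") {
    Write-Warning "$clientConnector does not require TLS before Basic authentication"
}

# 4. Verbose protocol logging records the remote IP, SMTP verbs and authentication
#    outcome of every session, which is the log Mike asks for to confirm the fix.
Set-ReceiveConnector $internetConnector -ProtocolLoggingLevel Verbose
```

The protocol log is written under the Receive log directory of the Hub Transport role; send one test message on port 25 after the change and check whether the session was accepted or rejected there.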
All Replies
Hi Andy,
Would you please let me know whether the Exchange server is used to receive external messages directly? If yes, I would like to explain that the Anonymous users group needs to be selected on the Default Receive Connector in order for external mail servers to deliver messages to you. If the Anonymous group is selected, your SMTP client is able to submit messages by using the Anonymous account. Nevertheless, I think that you can run the following command to stop internal users from using the Anonymous account to submit email:
Get-ReceiveConnector "Default Receive Connector" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"
In addition, you need to unselect the "Integrated Windows authentication" option for the Default Receive Connector.
After performing the above steps, please restart the Transport service and check whether the issue persists.
For more information regarding receive connector:
Receive Connectors
http://technet.microsoft.com/en-us/library/aa996395.aspx
Mike
Hi Andy,
Any update regarding the issue?
Thanks,
Mike
So, if I'm reading this correctly, even though Exchange users is unchecked from the permissions of the port 25 SMTP connector, they can use it to relay if they are sending to an internal user?
But if they try and send to an external, it will get denied?
This is fine, but I just want to make sure my understanding is correct.
I'm trying to force all IMAP users to use the encrypted 587 SMTP for outgoing mail.
Hi Andy,
Yes, that is correct. This is because the Exchange server has to accept messages destined for local users, or no one outside would be able to send messages. Exchange doesn't know who they are because they don't need to log in to send to an internal user, so Exchange cannot apply permissions.
Good luck.
Cheers,
Ben